Memcached is an in-memory key-value store for small chunks of arbitrary data (strings, objects) from results of database calls, API calls, or page rendering.

Memcached is simple yet powerful. Its simple design promotes quick deployment, ease of development, and solves many problems facing large data caches. Its API is available for most popular languages.

At heart it is a simple Key/Value store.

http://memcached.org/

Background

Last week I came across a service on the Internet running on TCP port 11211, Memcached’s default port. I had heard of Memcached before, but I probably only knew it was some kind of database system; that was the extent of my familiarity with it.

I quickly learnt that connecting to Memcached does not require authentication. Authentication can be implemented, but even then Memcached’s own documentation says it should not be fully trusted:

Using SASL authentication here helps, but should not be totally trusted.

Give me the data!

I have a database server which I can connect to (you can use Telnet) without any authentication, great! Give me the data!

Now here lies the problem: Memcached is a Key/Value store. To get any data out of it I need to know the key name first, and the key name can be any string. I was also told that there was no way to get the key names from a Memcached server.

Stats

I found a Ruby Gem called dalli, which is a Memcached client, and started to play around with the API. One interesting Memcached call is the stats one.

Here is some example output when the stats command is executed on a remote Memcached server:

The number after items: is a slab id; the slab ids can be extracted from the stat names with the regex ^items:(\d+): applied to each name.

Now that we have some slab ids we can use cachedump to get the key names, and once we have a key name we can extract its value. Unfortunately the dalli gem doesn’t have an API call for cachedump; however, this can be done easily over Telnet or the like.

Values (the meat!)

To get the key value I just used the dalli gem’s get(key_name) API call. I did come across some interesting data but most of the time no data was returned. I guess it depends on how frequently the Memcached server is used.

Using masscan I scanned some net blocks for TCP port 11211 to see how popular Memcached was and how frequently it was listening on the Internet, despite Memcached’s own documentation advising against this:

Memcached does not spend much, if any, effort in ensuring its defensibility from random internet connections. So you must not expose memcached directly to the internet, or otherwise any untrusted users.
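As an added example that is not from the original post or from dalli, here is a defender-side audit in plain Ruby for a server you operate: it parses the stats settings and stats items replies (constructed sample text in the wire format), pulls out the slab ids with the regex from above, counts how many cached items an anonymous client could reach, and flags the settings that leave the port open to the Internet.

```ruby
# Added example, not from the original post or the dalli gem: audit the replies
# to "stats settings" and "stats items" from a Memcached server you operate.
# Both replies below are constructed sample text in Memcached's wire format.
SETTINGS_REPLY = <<~TXT
  STAT tcpport 11211
  STAT udpport 11211
  STAT inter NULL
  STAT auth_enabled_sasl no
  END
TXT

ITEMS_REPLY = <<~TXT
  STAT items:1:number 12
  STAT items:1:age 4812
  STAT items:5:number 3
  STAT items:5:age 120
  END
TXT

# Turn "STAT <name> <value>" lines into a Hash, stopping at the END marker.
def parse_stats(reply)
  stats = {}
  reply.each_line do |line|
    break if line.strip == 'END'
    _, name, value = line.strip.split(' ', 3)
    stats[name] = value if name && value
  end
  stats
end

# Slab ids, taken from the "items:<id>:<field>" stat names with the post's regex.
def slab_ids(items_stats)
  items_stats.keys.map { |k| k[/\Aitems:(\d+):/, 1] }.compact.map(&:to_i).uniq
end

# Items currently cached: the data an unauthenticated client could walk with
# cachedump/get if this port were reachable from the Internet.
def cached_item_count(items_stats)
  items_stats.sum { |name, value| name.end_with?(':number') ? value.to_i : 0 }
end

# Settings that permit anonymous remote access. "inter NULL" means no -l address
# was given, so memcached listens on every interface.
def exposure_findings(settings)
  findings = []
  loopback = settings.fetch('inter', 'NULL').split(',').all? { |a| %w[127.0.0.1 ::1].include?(a.strip) }
  findings << 'not bound to loopback only (start memcached with -l 127.0.0.1)' unless loopback
  findings << 'UDP listener enabled (disable with -U 0)' if settings['udpport'].to_i > 0
  findings << 'SASL authentication disabled' if settings['auth_enabled_sasl'] != 'yes'
  findings
end
```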

Conclusion

After all this I came across a blog post by SensePost, who did all of this back in 2010. They even wrote a tool called go-derper, which I haven’t had the chance to try yet. My Google Fu must have been weak when I first came across the Memcached server on the Internet. Nevertheless I learned a little about Memcached and will be prepared next time I come across it. Hopefully you learned a little about it too.

There was no Metasploit module to extract data from a Memcached server; maybe this is something I can do in the future if I get the time, or someone else can do if they’re interested. Metasploit did have a DoS exploit (CVE-2011-4971) for Memcached though.